European consumer groups take action against Google’s ‘fast track to surveillance’

What happened

• Ten consumer groups, coordinated by the European Consumer Organisation (BEUC), have accused Google of putting users on a “fast-track to surveillance” by using deceptive design and misleading account sign-up options, granting the company access to excessive personal data in relation to its users.
• Regarding Google’s account sign-up process, the BEUC claims that through only a single click, Google makes it easy for consumers to consent to sharing their data. In contrast, it takes five clicks and 10 steps to disable Google’s trackers, which relate to site and app activity, YouTube history, and personalised advertising.
• BEUC further claimed that users are obliged to create a Google account when they want to use certain products and services, such as downloading apps from the Google Play store.
• According to the BEUC, groups from Czech, Norwegian, Greek, French, and Slovenian countries as well as others have filed complaints with their data protection authorities about Google’s practices, which allegedly breach GDPR. A German consumer body had also sent a warning letter to Google, ahead of a potential civil lawsuit.

Why it matters

• According to a BEUC spokeswoman, Google’s users are subjected to “surveillance by design and by default” when creating a Google account.
• This conflicts with the EU and UK GDPR requirement to protect user privacy by ensuring privacy and data protection is integrated into all activities involving personal data; a concept known as ‘data protection by design and default’.
• The ICO sets out in its guidance on data protection by design and by default that organisations should offer strong privacy defaults and user-friendly options and controls in respect of user preferences.
• Design features which lead or encourage users to follow an organisation’s preferred paths, such as by making an option to consent to tracking far less time consuming than disabling tracking, are not considered good practice by the ICO.
• Data protection authorities in Europe have issued their own similar interpretations on the concept of data protection by design and default, including the adoption of guidelines from the European Data Protection Board.
• DPIAs are an integral part of data protection by design and by default for high-risk processing activities. Organisations should ensure that their policies and procedures foster a ‘data protection by design and by default’ approach across the board, including the requirement to complete DPIAs where appropriate.

What happened

• In an open letter to public authorities published on the ICO website, the UK Information Commissioner John Edwards announced a revised approach to tackling data protection compliance within the public sector.
• Edwards said the approach will see the ICO working more closely with senior leaders across the public sector to “encourage compliance, prevent harms before they occur and learn lessons when things have gone wrong”. 
• Under the new strategy, which will be trialled over the next two years, the ICO will only issue fines to public authorities in the most severe circumstances. Instead, in the case of non-compliance, the ICO will utilise its wider powers more frequently, including warnings, reprimands, and enforcement notices.
• The Commissioner’s rationale for the decision is to lessen the impact of fines on the public, claiming that public sector fines directly deplete the budget for essential services which in turn negatively impacts service users.
• According to the letter, the ICO will carry out its investigations into data breaches in the same manner and will follow up with organisations to ensure the necessary preventive and corrective actions are taken. Additionally, it will do more to publicise these cases by disclosing the amount of the fine that would have been imposed, for wider learning across all sectors.

Why it matters

• As a result of the revised approach, the Commissioner outlined the need for increased public sector involvement in the ICO’s data protection agenda. In particular, a greater commitment of time, money, and resources should be made to ensuring that data protection measures are fit for the long term. The letter also reiterated that this is a trial, which will be reconsidered if improvements are not demonstrated.
• To support the change, the Cabinet Office and Department for Digital, Culture, Media and Sport (DCMS) have agreed to create a cross-government senior leadership group to encourage compliance with high data protection standards.
• The ICO’s revised approach is the first of several new initiatives that will be set out in the coming weeks as part of ICO25 – the ICO’s new three-year strategic plan – to empower organisations to innovate while using people’s data responsibly.

What happened

• High Court judges have ruled that MI5, MI6 and GCHQ have been unlawfully given permission to access individuals’ communications data for the prevention or detection of serious crime under the Investigatory Powers Act 2016, which allows intelligence services and other government agencies to intercept private communications data.
• Data that can be accessed under the Act includes telephone records, text messages, location history and internet browsing history.
• Judges found that the ability of the UK’s intelligence services to authorise their own access to the private communications data of the public for investigating crime is unlawful.
• The case was brought by the human rights campaign group Liberty, which began its first legal challenge against the lawfulness of the UK’s bulk surveillance powers five years ago in 2017.

Why it matters

• Security services will now need independent authorisation to access private communications data, such as telephone and text message records, when carrying out criminal investigations, to verify that access is necessary and proportionate.
• This requirement already applies to the police and, following this judgment, will also apply to the security services.
• Surveillance safeguards must continue to be strengthened to protect privacy and free expression, Liberty says.